UNIX Security: Don't Believe the Truth? 520
OSNews has an interesting editorial about security on UNIX-like systems. "One of the biggest reasons for many people to switch to a UNIX desktop, away from Windows, is security. It is fairly common knowledge that UNIX-like systems are more secure than Windows. Whether this is true or not will not be up for debate in this short editorial; I will simply assume UNIX-like systems are more secure, for the sake of argument. However, how much is that increased security really worth for an average home user, when you break it down? According to me, fairly little"
Backup (Score:4, Insightful)
I'll Field a Few Questions (Score:4, Insightful)
If "Johnny's first day at school" is more important that system critical resources, perhaps you should have hard copies (CD, DVD, tape, etc.) of this media.
You're right, you should make backups. You have a love-affair-dependency on your hard drive. Everyday you need it to retain the ones and zeros it holds that forms your data. One day, your personal hard drive isn't going to be there for you. That's why you should back up regardless of how secure you feel. Most "normal home users" don't have redundant RAID arrays running. Furthermore, it isn't "secure period," it's touted to be one of the most secure operating systems. Wait, weren't we talking about Unix?
I don't think anyone but Mac users claim that. And anyone that claims that for any processing device is lying to you. There are Linux Viruses [viruslibrary.com] out there, just use your favorite search engine.
Oh good, we're back on Unix here (they're not exactly the same, you know). I disagree, both sides (user and system) are more secure in the case of Unix or Linux for that matter.
While this might be true, I think you should take into account the frequency of said viruses [theregister.co.uk]. When's the last time a massive virus attack has taken down entire networks of Unix machines? So you talked about Unix security without quoting a single authoritative source on the issue. And to finish off this article, you rely on a one-hit wonder brit pop band to prove your thesis. May Slashdot have mercy on your soul, Thomas. Endure the onslaught.
Doesn't Matter So Long As It Works (Score:5, Insightful)
and a triumph for the home user. If you had to choose between having a virus that both destroys your personal files and compromises your system or a virus that only destroys your personal files, which would you pick? He's making light of a very significant thing for most home users--a full wipe and reinstall of the operating system and applications. That's a day's work for your typical user, more if you have a bunch of programs you need to go hunting for.
But what is more important to a home user? His or her own personal files, or a bunch of system files? I can answer that question for you: the pictures of little Johnny's first day of school mean a whole lot more to a user than the system files that keep the system running.
What's the value of Johnny's first day of school photos if you can't boot the damned computer? Again, the author makes light of the value of the system to the home user. Just because John Q. Public cares more about his cup holder than his engine block doesn't mean he won't care when the cylinder head cracks.
Of course, they should make backups-- but wasn't Linux supposed to be secure? So why should they backup? Isn't Linux immune to viruses and what not? Isn't that what the Linux world has been telling them?
Actually, no. I have yet to speak with a single techie who says that you don't need to back up important files under any circumstances. In fact, viruses are almost always a "secondary" reason for backing up files; the primary driving reason behind backing up your files has traditionally been that of hardware failure.
The crux of his entire argument rests on the supposition that, to the home user, the system simply doesn't matter. In a most cosmetic sense, this is true; home users don't give a damn about kernels and drivers. The instant something goes wrong with that system, however, it's a nightmare for that archetypical home user (who, remember, doesn't know and doesn't care how the thing works). When everything works, they can open and print Johnny's files just fine, but what the heck are you supposed to do when the omgwtf32.dll pops up an error message when you try to open Johnny's picture?
Open Source (Score:2, Insightful)
The ability to change and fix problems within the code? I mean I'm not a top level programmer who is constantly editing his kernel source code, but I have changed quite a few applications to benefit my needs.
Re:Backup (Score:5, Insightful)
Google "How to use cron".
The OS already can be set up to do this. The premise of the article is flawed; and based on a premise that I reject. Chances are, if you're smart enough to run Linux, then you're probably smart enough to backup your important files.
Plus, given the author's scenario - let's flip it around: A Windows virus can bork your data and your OS. At least with UNIX, backups notwithstanding, the OS is still there and you'd have a much better chance at recovering your data than you would with Windows.
Mod article -1, Flamebait.
Bastille-Linux (Score:3, Insightful)
Wrong. (Score:5, Insightful)
Re:Backup (Score:3, Insightful)
less risk of any holes being exploited (Score:3, Insightful)
Unix can be hacked/cracked too, just there's less likelihood and there less risk associated with running a *nix based O/S.
His objections are utterly unfounded (also stupid) (Score:4, Insightful)
This idiot is stating that because some users don't understand the UNIX security model, the UNIX security model is flawed. Apparently, as far as he's concerned, if ~ gets destroyed, the whole system may as well be destroyed. He's blathering about a "false sense of security," but I have never, anywhere, ever, heard anyone say that you don't have to back up your data if you run UNIX.
Sound and fury, understanding nothing. Typical of OSNews, but sad that Slashdot's carrying this crap.
Come on guys (Score:4, Insightful)
Are the editors even paying attention here? How can a 500-word, Grade 6 public speech-quality editorial makes it to the frontpage? Where is the quality here, folks?
Re:I'll Field a Few Questions (Score:3, Insightful)
So, in effect, the user who was attacked was quarantined, making things _more_ secure.
Unix was a joke for years (Score:3, Insightful)
Its laughable today because it was before the holes in Windows2k were discovered but there is some truth. VMS and MVS were standard and rock solid with security. Unix like Windows was written in C with parts of c++ scattered here and there with userspace apps. Buffer overflows galore are everywhere.
Even MacOS (not Macosx) was more secure for the reason that it did bounds checking on types. Add to that the fact that x86 can not tell the difference between cache stored for ram and cache stored for applications where you can just point to where a program is stored for execution and you have a nightmare on yoru hands.
Keep in mind I am no expert and I dont even have my 2 year degree yet. Perhaps someone more knowledgable can clarify how the compilers work?
Unix is surely better than Windows but VMS is about gone and who uses mainframes anymore besides a selected few users who need them?
Standards are good but there is no diversity left in platforms. Its too bad VMS just died and stayed closed. It would be nice to have something besides just unix and Windows
Classic "Straw Man" argument (Score:4, Insightful)
Re:Wrong. (Score:5, Insightful)
So a libpng buffer overflow, allowing a png image rendered in mozilla to execute code can't be harmfull? Sorry pal, but this is not a problem with the OS, but the applications and libraries.
Re:Backup (Score:1, Insightful)
Second since when was it true that Windows backed up the data? As he says in the article Windows and Linux do the same for that.
I would take the car with airbags (linux / unix with security and less vulns) over the car with a shaky tinfoil frame that I always need to take to the shop -- even if that photograph I have pinned on the sun visor gets burned in both cars if I get in an accident.
I don't see the point of this terrible "article" (if it can be called anything more than a short, unsubstantiated rant) or why it was posted anywhere, let alone
Re:Doesn't Matter So Long As It Works (Score:3, Insightful)
Besides, I mostly don't hear that Linux (or any UNIX-like OS; collectively referred to by myself as "unixen" or maybe "unices") is automatically and inherently more secure than any other OS (except a few rare cases whose main purpose is security, such as OpenBSD); the truth (which is what you find if you pay attention) is that it's easier to secure, and can be secured better.
I'm not sure how important that is anyway. The bugaboo for typical home users is so rarely a targetted attack on their data. Rather, it's the daily destruction of their OS by common malware. Their data generally survives even the worst collections of OS-crashing adware, spyware, virii, and Sony rootkits. In this arena, unixen are much better, with their limiting the user to a home directory.
Of course, OTOH, practical usability (including the fact that Windows is almost exclusively common as the pre-installed OS, and the OS for which classes are available everywhere and for which applications are taught at schools) for joe schmoe still leaves Windows as the most satisfactory for such users.
Meanwhile, I'm off to test a bunch of modern Linux distributions (as well as a few BSDs and an Amiga OS clone) on old hardware to see what runs best for my purposes (one as a file server, another as a combination thin VNC and RDP client and print server)...
Not true at all (Score:4, Insightful)
However, in UNIX culture, there is something. The first rules of security.
First, the default installation should not act as a server operating system. The system should not respond to ANY outside requests for anything unless enabled to by the system admin.
Second, no action on the system should be performed with any more than the minimum set of privileges necessary. Everything should be done with user privileges, not system privileges, unless absolutely necessary.
The use of these basic security rules applied more or less throughout the UNIX world, and for MAC OS X as well. Windows INTENTIONALLY ignores these rules in order to "maximize the user experience", and in doing so spawned a multi-billion dollar anti-virus industry.
and one egregious error (Score:5, Insightful)
An analogy one might usefully make is to the highway: good system-level security is like a well-designed, well-lit highway. Sure, the user (driver) can still kill himself, but he has to behave unusually recklessly. On the other hand, poor system-level security is like a rutty, unexpectedly curving dark country road. Even reasonably careful drivers at moderate speeds can get in trouble.
The guy is focussing on the fact that in both cases the driver can get himself killed. But that isn't the whole story. One "road" (system) makes it easier for a moderately careful "driver" (user) to survive. The other puts even careful "drivers" at risk. And, of course, there's the obvious fact that no "road" (system) can possibly protect the completely reckless "driver" (user).
Re:I'll Field a Few Questions (Score:1, Insightful)
Re:Doesn't Matter So Long As It Works (Score:4, Insightful)
System files are fungible; user files are not.
If my OS gets trashed but my photos are unscathed, I can still view them if I rebuild the OS using the install discs -- or I can even switch to a different OS entirely, and the photos will be viewable there. It may take some time to recover, but it's possible and even likely.
If my photos get trashed, though, and I don't have a a good backup copy, they're gone forever. There's nothing that can be done.
Security?! (Score:3, Insightful)
For most home users THAT'S important (bank details, order details, hell even my address and phone number). You imagine how well a phishing attack would work on most users if they knew about open orders (from say Amazon) by reading your files. I think that's much more important to most users!
Of course we all backup our files! Jeesh this is
He misses a big benefit for a "Family Computer" (Score:4, Insightful)
Sure poor computing practice by the user that owns the files could result in their destruction. Nothing gained versus Windows there. But in a family computer scenario, more is gained than the author admits. On Windows systems, many programs are (mis-)designed to require administrator rights even just to run them. This is not generally the case on UNIX-derived systems. As a result, accounts for family members will often be in the local admin group. So on a family computer if you give Little Johnny an account to run his software and play games, and he goes and downloads the latest malware and runs it, it can nuke your data as well as his.
Under a typical scenario under a UNIX-like system he can only destroy his homework and saved games, not your pictures of his first day of school along with them.
That's got to be a non-negligible benefit to the family user that the author completely discards.
Re:Backup (Score:3, Insightful)
I think it's time to face the facts: Linux may still be mainly for geeks -- but it no longer requires a PhD to run it on a daily basis.
Re:Interesting (Score:2, Insightful)
Under Linux you'll be pretty safe if you use the default firewall settings on an install and run your package updater after install and set it to auto update.
Under Windows you have to do the above, and then try to manipulate it into allowing you to run as a non admin user (something it doesn't do by default). In fact locking down Windows in this manner is a bit of a pain, and it's even more of a pain when you want to install something or run stupid software that, due to the Windows defaults, expects administrator access.
Measuring security is diffucult but I can't help thinking the Linux community is becoming a bit complacent about security.
I don't see this at all. As far as I can tell, major security problems in Linux seem to get fixed a lot faster than ones in Windows. In addition we have a much better firewall than what comes with Windows. We have stuff like SELinux if you really want to lock stuff down, and much better software raid support if you want to protect your data.
The 1990s called... (Score:3, Insightful)
As far as the rest goes, the data are very important but people don't protect them well in any case. However, downtime is important - or not really downtime, since they can spend a week to have it fixed - but every time they have to get someone to fix it, that is a big annoyance. If you can keep the system clean (and if you're good, have the Admin/root account take backups to somewhere the user doesn't have access) you're saving yourself a bundle of time and problems.
Re:Interesting (Score:4, Insightful)
1. While there is a great deal more Windows around than UNIX, UNIX is where the money is. If you want to extract large sums of money or steal swathes of identities then UNIX servers tend to be the systems hosting these backend services. So UNIX should be the target of hackers wanting to make serious money while much of the Windows activity is concentrated on hacks designed to produce the maximum public impact most of which cost because they down systems rather than extract cash from systems. The fact that almost all the money making hacks concentrate on Windows is testiment to the factthat it is difficult todo on UNIX.
2. Much of UNIX is OpenSource or available as source code, despite this there have been very few examples of ethical hacks or demos of vunerability that have been viable generated by security research companies or ethical hacking groups.
3. Stack overflow holes account for a huge chunk of the Windows vunerabilities mainly because Windows and x86 lack generic protection against these specific overflows. This is not true of UNIX particularly if it isn't running on Intel. Solaris for example has specific controls which limit the options for stack overflows as does the SPARC processor. These controls make it more difficult for hackers to generate exploits that remain viable.
4. There have been vanishingly tiny numbers of viable reported UNIX virii, none in the case of Solaris.
Re:That's not exactly correct (Score:3, Insightful)
I would agree with your statement, just adding that software written to run only as admin is considered poor programming practice on Windows, even if it is often the norm.
Err... (Score:2, Insightful)
----- /home/$USER
#
# Nasty file deleting virus thingy
#
#!/bin/sh
rm -rf
echo "Hahahahahaha"
-----
He seems to have entirely failed to understand that if viruses (or other unwanted nasties) can't gain access at system level it's much harder for them to replicate themselves round the network automagically (something which is true for all OS's, inc Windows). This means that whilst you might lose your files, everyone else on your network doesn't have to join you in your misery.
The article seems basically to be a complaint that unix doesn't stop you deleting your own files, which is roughly equivalent to complaining that your gun didn't come with a mechanism to prevent you from shooting yourself in the foot.
Re:Backup (Score:3, Insightful)
Designed as a UNIX follow up (Score:2, Insightful)
I wonder if the shareholders have a case for mismanagement?
Re:Backup (Score:3, Insightful)
The same reason that Linux users don't have reasonably strict SELinux policies in place on their machines - a lot of applications are still stuck in the older model and don't play nice with Windows if you aren't the Adminstrator, or Linux if you try and confine their access to reasonable least privilege. What I find interesting is that both Linux and Windows have this issue but people keep ignoring the Linux side - more effort needs to be put into making SELinux and similar security systems workable with good policies even on general workstations. Linux users need to start expecting more of their applications with regard to security.
Jedidiah.
Home users (Score:2, Insightful)
At any rate, I had a sort of epiphany: Users don't want to learn - they don't want to tweak. Most users just want it to _work_. They don't care about bells and whistles, if it doesnt do what they want it to do in a quick fashion, they dont want it.
Its sad, but true. Secure or not, I find it very difficult to believe that linux, unix, or any other OS will take away Microsoft's advantage - they intend on getting things to work automatically so _anyone_ can use it. I've been using computers for 9.5 years myself, and some of the things I have to do in LInux take a long time to do for me (partially because I'm not familiar with it) becuase I have to read the extensive documentation.
And there are times that I have just wanted it to 'effin' work without havnig to RTFM of 60 pages
Re:Because it makes things work. (Score:2, Insightful)
Just the average Windows user? Hell, it's more work than I'm willing to put in, and I feel fairly comfortable with admining Windows.
The thing I like about admining Linux is that the system tools are designed to make things so much easier and so much faster, and make the bulk of the work rest in setting up programs and configuration files.
For instance, let's try changing the password.
Can you guess which is faster? Hint: the wrong answer is the one made by Microsoft. How about which one is easier? This one's a trick question, because the GUI does make things a tad easier...until you learn the syntax for the command-line version, then it's just there to be pretty.
It's the same for a bunch of other crap as well. Configuring via text files (a number of which briefly describe each setting in a commented section of the file; more details can be found in it's man entry) is infinitely faster than going thru 3-4 windows to get to a configuration screen where you can only, at best, change a handful of options, and the rest are located in the nightmarish Windows Registry with absolutely no explanation as to what each setting does.
I'd sooner have good admin tools that 'just work' as opposed to the programs I plan to install, 'cuz I'm going to be putting a great deal of effort into setting them up anyways. Just easier that way.
Marketshare is a straw man argument (Score:3, Insightful)
But this does not explain why the exploits which provide vectors for attack exist. Perhaps marketshare plays into this as well where developers at MSFT have become lazy and complacent with their commanding market position.
Let's stop blaming users for security problems and lay blame squarely on the developers themselves. If any company deserves a class action lawsuit, I would say MSFT does when you consider the amount of money spent compensating for their incompetence.
Re:Backup (Score:2, Insightful)
Re:Doesn't Matter So Long As It Works (Score:3, Insightful)
It's called "reading". (Score:3, Insightful)
"Yep. It is possible. But it is more work than the average Windows user will want to put into it."
Then you asked:
So I provided you with specific links describing the specific problems and even HOW those problems arise.
So you replied: Yeah. No one ever said that it was IMPOSSIBLE.
What I said was that it was more work than the average Windows user was likely to put into it.
Did you understand it that time? Do I have to repeat it again for you? I do? Okay, I will.
Under Windows, it is far easier for the average user to just run as adminstrator than it is for them to fix the apps that don't work right as a non-administrator user.
NOT "impossible".
And the reason that is it far easier is because the average user must, somehow, FIRST learn why running as administrator is a BAD THING.
Back in the old days, we had real trolls. We had trolls who knew MORE about the systems than the admins. We had trolls who could tear apart a TCP/IP packet.
Now, all we have are these "search Google for me" trolls. It's a sad day for trolls everywhere.
Re:Backup (Score:1, Insightful)
perhaps linux isn't hard to USE anymore (although such a statement is not my opinion), but that only matters after the endless initial "tweaking" is complete.
Two weeks? Really, you can't use gentoo as the standard to describe linux distributions. Seriously. When was the last time you installed linux? Most linux distributions no longer require any tweaking whatsoever. And while we're on that topic, I might as well point out that a new windows install requires a lot of time and effort to set up, ie install updates, drivers and useful programs. I have never installed OS X so I can't say anything about the process.
Oh yeah, don't try to say that most windows users never have to install the OS. I don't know where those stats came from - everyone I know that owns a computer has had to reinstall windows at least once. The majority of them were average users too.
Why Windows People Run as Admin (Score:3, Insightful)
I hear this a lot, but there's actually a pretty good reason. Windows feels restrictive as a normal user, because its filesystem and registry permissions are so haphazard. Many programs won't even run in a non-admin account at all. UNIX is designed to make the user feel quite unrestricted as a normal user, and conventions like sudoers take this principle even further without compromising the overall security of the system.